Traditionally, most organizations focused on defensive or reactionary measures against cyber threats. Security products such as those designed to block malicious sites or software and tools to apply patches for vulnerabilities in existing software became a staple in most organizations. On the other hand, security teams were mainly focused on Incident Response activities, hence the term Computer Security Incident Response Team (CSIRT), which is still in use today at many organizations. Although this approach worked against uncomplicated incidents, it had its limitations against more advanced attacks that were discovered over the years such as fileless attacks. Moreover, it did not provide any understanding of the threat actor behavior. To address the shortcomings of the traditional prevention-centric approach, organizations have begun adopting a threat-based cyber defense strategy.
A Perspective Shift
Experts at MITRE suggest that “understanding an attacker’s tactics and techniques is key to successful cyber defense.” With the advent of Threat Intelligence, this has become universal knowledge in the cybersecurity community. And this must also be taken into consideration while forming the security teams for any organization.
To understand threat-based cyber defense, organizations need to shift their perspective from solely focusing on reported security incidents to the spectrum of all relevant cyber threats that can affect them. If we take a look at the cyberattack lifecycle or the “kill chain”, Incident Response only comes into the picture once a threat has materialized in the form of an exploit. Thus, the traditional cybersecurity paradigm only focuses on the latter half of the kill chain. Meanwhile, the threat-based cyber defense approach also includes proactive detection and mitigation as equally important parts of the security strategy.
In the face of an increasingly complex IT architecture and advancing cyber threats, organizations need to shift their focus on threat detection and response. By identifying threats in the early stages of the attack lifecycle, security teams can reduce their Mean Time to Detect (MTTD) and also reduce the Mean Time to Respond (MTTR) by lowering the number of incidents that require a response. By adopting end-to-end threat management processes, organizations can improve their overall security posture and also avoid downstream costs from threats that are blocked in an early stage.
End-to-end Threat Management
Having understood the need for end-to-end threat management, let us glance through the key elements that can help organizations build such capabilities.
- Cyber Threat Intelligence Analysis - Security teams can gather threat information from past events and a variety of internal and external Intel sources. By combining this knowledge with the analysis of threat actors’ tactics, techniques, and procedures (TTPs) and observed attack indicators, security practitioners can find improved ways to anticipate, prevent, detect, and respond to cyberattacks. This helps defend against threats at the early stages of the attack lifecycle.
- Information Sharing and Collaboration - The fight against cyber threats does not have to be fought all alone. Through information sharing and other collaborative cyber defense efforts, organizations can gain a headstart and maintain an edge over the threat actors by utilizing the combined knowledge base from all stakeholders. Moreover, when one organization is affected by a targeted threat, peer organizations can help ensure that the threat is contained and prevented from spreading further in the target group.
- Threat Response Automation - By using automation to boost threat response processes, security teams can drastically improve the pace of response. Automation also provides other benefits such as reduced false positives, improved consistency in security processes, faster threat investigation, and more. It helps avoid the limitations arising from human dependency, thereby enabling security teams to perform threat response in a much more timely and effective manner.
- Cyber Fusion - Cyber Fusion is a force-multiplier technology with a positive impact on many aspects of security operations. By bringing diverse security functions under a single roof, Cyber Fusion provides the perfect platform to maintain visibility, govern effectively, cut bottlenecks, leverage all information sources, improve collaboration, fasten response, and more. Thus, Cyber Fusion provides the stepping stone to build end-to-end threat management capability.
The Final Word
Like most other business functions, cybersecurity is also a dynamic process. The old ways of relying on a suite of fixed solutions cannot work in the age of expanding attack surfaces and highly-resourceful threat actors. It is time for all organizations to take a more proactive stance on cybersecurity by adopting a threat-based cyber defense strategy.
Posted on: January 17, 2020